Trust your OpenID Provider?

Today I stumbled across two blogs arguing heavily against OpenID. Ralf Bendrath says it sucks, while deltalima2 has even started a campaign against it (it’s in German, though). Both argue that OpenID providers could start profiling users, because the provider is the one party that knows which sites a user visits (that is, logs in to with their OpenID).

I can’t really prove them wrong on that point; it’s a problem the OpenID community should address, I think. On the other hand, I already have to trust a lot of people and companies if I want to use the internet: email providers, ISPs, search engines, the various services and websites I am registered with, … Actually, I think a simple Google search for my name will reveal more information than an OpenID provider will ever gain. Google will know all the sites I have signed up with using my OpenID, plus those that don’t require one: various comments on blogs, forum posts, …

It’s not the best argument in favour of OpenID, I know. Maybe someone with more knowledge about OpenID has a better one? Leave a comment, please.
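To make the "provider knows which sites you log in to" point concrete, here is an added example that is not part of the original post: it parses a constructed OpenID 2.0 checkid_setup request and shows the only two facts an OP has to learn to complete a login (which identity, for which relying party realm), together with a simplified form of the spec's rule that return_to must fall inside the realm. The hostnames, the sample request and the helper names are constructed assumptions.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample: the query string a relying party (RP) sends, via the
# browser, to the OpenID provider (OP) for a checkid_setup request. Every OP
# sees these fields on every login; that is the "knowledge" discussed above.
SAMPLE_REQUEST = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=checkid_setup"
    "&openid.claimed_id=https%3A%2F%2Fexample-user.example%2F"
    "&openid.identity=https%3A%2F%2Fexample-user.example%2F"
    "&openid.return_to=https%3A%2F%2Fblog.example.net%2Fopenid%2Freturn"
    "&openid.realm=https%3A%2F%2F*.example.net%2F"
)


def parse_request(query: str) -> dict:
    """Flatten the openid.* query parameters into a plain dict."""
    return {k: v[0] for k, v in parse_qs(query).items() if k.startswith("openid.")}


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """Simplified OpenID 2.0 realm check: return_to must lie inside the realm.
    Scheme and port must match, the realm path must be a prefix of the
    return_to path, and a leading '*.' in the realm host also admits subdomains.
    An OP that skips this check can be used to bounce assertions elsewhere."""
    rt, rm = urlparse(return_to), urlparse(realm)
    if rt.scheme != rm.scheme or rt.port != rm.port:
        return False
    realm_host = rm.hostname or ""
    rt_host = rt.hostname or ""
    if realm_host.startswith("*."):
        suffix = realm_host[2:]
        host_ok = rt_host == suffix or rt_host.endswith("." + suffix)
    else:
        host_ok = rt_host == realm_host
    return host_ok and (rt.path or "/").startswith(rm.path or "/")


def what_the_op_learns(query: str) -> dict:
    """The minimum an OP must see: which identity is asserted and for which
    relying party. Nothing else is required by the protocol, so a
    non-tracking OP can discard both once the response has been sent."""
    req = parse_request(query)
    realm = req.get("openid.realm") or req["openid.return_to"]
    return {
        "identity": req["openid.identity"],
        "relying_party": urlparse(realm).netloc,
        "return_to_valid": return_to_matches_realm(req["openid.return_to"], realm),
    }
```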


  • http://www.xlogon.net/ Boris Erdmann

    As we ourselves just started an OpenID Provider in Germany (because at that time we decided to do so, we could not find a provider for our customers who would legally protect them), I am fairly familiar with the implementation details.

    And yes, as a provider you just have to have “knowledge” at least about which identity (URL) has a relationship with which consumer site. Without this you lose any of the benefits. In fact you would render the whole thing unusable.

    But on the other hand, that’s it. And of course a matter of trust.
    You don’t have to provide any other data.

    So, go and look for providers that just don’t track anything. (We ourselves are not even technically prepared to. And since we don’t collect that data, we just cannot evaluate it.) Look into their Terms and whether that promise is written down there. In Germany customers are protected by such terms, the German TMG and DDSG.

    Maybe you’ll even find some who implemented some other features to make users a little bit less visible.

    In the meantime I can only second you in saying that Google will most probably know more about you at any time than your IdP ever will.

    I just commented on that at
    deltalima2

    Boris

  • Carsten Pötter

    Boris, first I just edited the link you provided for your comment on deltalima2’s blog. Hope that’s ok.

    Although big companies like AOL are adopting it, OpenID is still pretty unknown to most people. Also, development of the specs is still in progress. So I am sure that there will be some more improvements on the security side of things (e.g. phishing) in the future. I actually think that users will register with those providers who provide the best service in terms of security. There will be competition between IdPs.

    I didn’t know about Xlogon before. Good to know that there is another provider in Germany. :)

    Carsten

  • http://www.xlogon.net/ Boris Erdmann

    Thanks for listing us at magnolia :-)

    Maybe you didn’t know about us because we started the service
    only recently on April 4th, 2007.

    Cheers
    Boris

  • https://www.passpack.com/ Tara (PassPack)

    Carsten,
    You’re absolutely right.

    Right now a bunch of services are popping up around OpenID, which is great news. But it’s up to these services to build security layers on top of OpenID. OpenID alone isn’t enough.

    So yes, there will be (fierce) competition between IdPs. At least I hope so. Because OpenID has major security issues, phishing being the biggest, and it’s up to the IdPs to solve those issues.

    It’ll be fun to watch how things start to shape up in the coming months.

    Cheers,
    Tara

  • Carsten Pötter

    I am sure there will be competition between IdPs. Some IdPs even have solutions to phishing similar to the one PassPack has.

    While OpenID is still not perfect, I’m confident that all major problems will be solved someday, because the OpenID community is aware of them and doesn’t deny them; some of them are even mentioned in the specs.

  • http://www.notsorelevant.com/2007-05-03/setting-up-your-own-openid-server/ Setting up your own OpenID Server at Not So Relevant

    [...] are some people who consider OpenID providers a risk to privacy because providers are able to monitor all the sites [...]

  • http://www.notsorelevant.com/2007-08-12/discussion-on-people-search-engines-in-germany/ Discussion on People Search Engines in Germany at Not So Relevant

    [...] personal data and use it for commercial purposes, e.g. a German guy started an initiative called OpenID – Nein Danke (OpenID – No Thanks) a few months ago because OpenID providers had the opportunity to create [...]
